the original cloud security

Samba nttrans Replay Integer Overflow

Samba nttrans Replay Integer Overflow
Posted Aug 21, 2013
Authored by x90c

This is a brief paper detailing the Samba nttrans reply integer overflow vulnerability.

tags | paper, overflow
advisories | CVE-2013-4124
MD5 | 2dd13b92c134e4d1285d33a405573e06

Samba nttrans Replay Integer Overflow

Change Mirror Download

Exploitation: samba nttrans reply integer overflow

___ ___
/ _ \ / _ \
__ __| (_) || | | | ___
\ \/ / \__. || | | | / __|
> < / / | |_| || (__
/_/\_\ /_/ \___/ \___|


CVE-2013-4124 samba integer overflow in nttrans
reply reading ea_list

vulnerable samba daemon has a integer overflow
to cause remote dos by nttrans reply while the
daemon reading ea_list. In the detail, unsigned
data type offset variable in vulnerable function
of read_nttrans_ea_list can be wrap up! security
bug!


x90c

[vulnerable versions]
- samba 3.5.22 <=
- samba 3.6.17 <=
- samba 4.0.8 <=

[call graph]
+reply_nttrans // reply nttrans
+->handle_nttrans
+-> call_nt_transact_create // transact!
-> read_nttrns_ea_list(vulnerable function)

[security bug analyze]
smbd/nttrans.c
---- snip ---- snip ---- snip ---- snip ----
971 /****************************************************************************
972 Read a list of EA names and data from an incoming data buffer. Create an ea_list with them.
973 ****************************************************************************/
974 EA names, data from samba incoming buffer!
975 struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t data_size) // *pdata is inject vector
976 {
977 struct ea_list *ea_list_head = NULL;
978 size_t offset = 0; // unisigned
979
980 if (data_size < 4) {
981 return NULL;
982 }
983
984 while (offset + 4 <= data_size) { // XXX (3) if offset is wrap up then it enters the loop continuly
985 size_t next_offset = IVAL(pdata,offset); // unsigned XXX (1) if next_offset from pdata pointer is much large value then to lead integer wrap!
// XXX (4) may memory corruption point! if offset is wrap up then second argv pointer(pdata+offset+4) pointers around zero memory then smb dos!
986 struct ea_list *eal = read_ea_list_entry(ctx, pdata + offset + 4, data_size - offset - 4, NULL);
987
988 if (!eal) {
989 return NULL;
990 }
991
992 DLIST_ADD_END(ea_list_head, eal, struct ea_list *);
993 if (next_offset == 0) {
994 break;
995 }
996
997 /* Integer wrap protection for the increment. */ // XXX patch code
998 if (offset + next_offset < offset) {
999 break;
1000 }
1001
1002 offset += next_offset; // XXX (2) if next_offset is large value then offset is wrap!
1003
1004 /* Integer wrap protection for while loop. */ // XXX patch code
1005 if (offset + 4 < offset) {
1006 break;
1007 }
1008
1009 }
1010
1011 return ea_list_head;
1012 }
---- snip ---- snip ---- snip ---- snip ----

---- snip ---- snip ---- snip ---- snip ----
1014 /****************************************************************************
1015 Reply to a NT_TRANSACT_CREATE call (needs to process SD's).
1016 ****************************************************************************/
1017
1018 static void call_nt_transact_create(connection_struct *conn,
1019 struct smb_request *req,
1020 uint16 **ppsetup, uint32 setup_count,
1021 char **ppparams, uint32 parameter_count,
1022 char **ppdata, uint32 data_count,
1023 uint32 max_data_count)
1024 {
...
1148 /* We have already checked that ea_len <= data_count here. */
1149 ea_list = read_nttrans_ea_list(talloc_tos(), data + sd_len,
1150 ea_len);
---- snip ---- snip ---- snip ---- snip ----

---- snip ---- snip ---- snip ---- snip ----
2639 static void handle_nttrans(connection_struct *conn,
2640 struct trans_state *state,
2641 struct smb_request *req)
2642 {
...
2651 /* Now we must call the relevant NT_TRANS function */
2652 switch(state->call) {
2653 case NT_TRANSACT_CREATE: // NT_TRANSACT_CREATE!
2654 {
2655 START_PROFILE(NT_transact_create);
2656 call_nt_transact_create(
2657 conn, req,
2658 &state->setup, state->setup_count,
2659 &state->param, state->total_param,
2660 &state->data, state->total_data,
2661 state->max_data_return);
2662 END_PROFILE(NT_transact_create);
2663 break;
2664 }
---- snip ---- snip ---- snip ---- snip ----

---- snip ---- snip ---- snip ---- snip ----
2770 /****************************************************************************
2771 Reply to a SMBNTtrans.
2772 ****************************************************************************/
2773
2774 void reply_nttrans(struct smb_request *req) // smb_request!
2775 {
...
2945 if ((state->received_data == state->total_data) &&
2946 (state->received_param == state->total_param)) {
2947 handle_nttrans(conn, state, req);
---- snip ---- snip ---- snip ---- snip ----

[exploitability]

* keywords:
- samba incoming data
- EA names
- data
- 0xf1000000
- SMB NTTRANS
- Samba reply_nttrans() Remote Root Exploit
(http://www.securiteam.com/exploits/5TP0M2AAKS.html)
- SMB_COM_NT_TRANSACT(0xa0) = NTtrans (32-bit field)
- SMBtrans
- http://ubiqx.org/cifs/SMB.html



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close